enable_disable_ip_restriction

This command allows you to specify one or more IP addresses for which you can restrict access by user type (SSH, GUI, or ALL).

When IP restriction is enabled, users can log into Guardium® only if they log in from an address that is on the allowlist.

Warning: Always assign one or more IP addresses to the allowlist from which you can access Guardium. If you restrict access to all IP addresses available to users, you will permanently lock all of your users (and yourself) out of Guardium.

This API is available in Guardium V11.4 and later.

REST API syntax

This API is available as a REST service with the POST method. Call this API as follows:
POST https://[Guardium hostname or IP address]:8443/restAPI/ip_restriction

GuardAPI syntax

enable_disable_ip_restriction parameter=value

Parameters

Parameter Value type Description
allowlist String A comma-separated list of IP addresses for which you want to allow (or restrict) access.
enable Boolean Required. Specify whether logins are restricted to the IP addresses that are specified in the allowlist. Valid values:
  • false (off) - Users can log in from any IP address.
  • true (on) - Users can log in only from specified addresses.

Default = 1 (true)

type String Required. Specify whether to restrict access to the CLI (SSH), the GUI, or both (ALL) for the IP addresses in the allowlist. Valid values:
  • ALL - Both SSH and GUI users.
  • GUI - Users who log into the Guardium GUI.
  • SSH - Users who log in to the CLI via SSH.
Note: You can run this command multiple times to create allowlists for different login types.
api_target_host String Specifies the target hosts where the API executes. Valid values:
  • all_managed: execute on all managed units but not the central manager
  • all: execute on all managed units and the central manager
  • group:<group name>: execute on all managed units identified by <group name>
  • host name or IP address of a managed unit: specified from the central manager to execute on a managed unit. For example, api_target_host=10.0.1.123.
  • host name or IP address of the central manager: specified from a managed unit to execute on the central manager. For example, api_target_host=10.0.1.123.

IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode.
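
The following pre-flight check is an added example, not part of the Guardium product or its documentation. It validates the allowlist, enable, and type values described above and refuses to build the GuardAPI command text when enabling the restriction would leave your own address off the allowlist, which is the lockout the warning describes. The function name and the admin_source_ips input are hypothetical, and rejecting anything other than a literal IP address is an assumption based on the parameter description.

```python
import ipaddress

VALID_TYPES = {"ALL", "GUI", "SSH"}  # values listed for the "type" parameter


def build_ip_restriction_command(allowlist, enable, login_type, admin_source_ips):
    """Return the GuardAPI command text, or raise ValueError if it is unsafe.

    admin_source_ips is a hypothetical input: the addresses you administer
    Guardium from, which must stay on the allowlist when enable is true.
    """
    if login_type not in VALID_TYPES:
        raise ValueError(f"type must be one of {sorted(VALID_TYPES)}")
    if not isinstance(enable, bool):
        raise ValueError("enable must be a boolean")

    # Assumption: entries are literal addresses, so CIDR ranges and host
    # names are rejected here rather than passed through.
    entries = []
    for raw in allowlist.split(","):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entries.append(ipaddress.ip_address(raw))
        except ValueError:
            raise ValueError(f"not a literal IP address: {raw!r}") from None
    entries = list(dict.fromkeys(entries))  # drop duplicates, keep order

    if enable:
        admins = {ipaddress.ip_address(a) for a in admin_source_ips}
        if not entries or not admins:
            raise ValueError("refusing to enable: allowlist or admin address list is empty")
        missing = sorted(str(a) for a in admins - set(entries))
        if missing:
            raise ValueError(f"admin addresses not on allowlist: {missing}")

    parts = ["enable_disable_ip_restriction"]
    if entries:
        parts.append("allowlist=" + ",".join(str(e) for e in entries))
    parts.append("enable=" + ("true" if enable else "false"))
    parts.append("type=" + login_type)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real deployment.
    print(build_ip_restriction_command("10.0.1.5, 10.0.1.6", True, "SSH", ["10.0.1.5"]))
```

Run the check once for each login type you restrict, because a separate allowlist can exist for SSH, GUI, and ALL.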